Biometric authentication -- with devices such as fingerprint and retina readers -- has become a commonplace addition...
to many enterprise-class devices, especially notebooks. That's exactly what biometric passwords should be: additions. They should in no way replace pre-existing security measures, but instead provide an extra layer of protection.
Even after all this time, there's still something sexy and science-fictional about simply swiping a finger rather than typing a password. It's easy to get distracted from how biometric passwords should be used. It's tempting to substitute them for traditional passwords entirely, but they're best for specific defense of enterprise assets. If you plan to implement biometric verification as a replacement for -- or at the very least an adjunct to -- conventional passwords, it's wise to keep a few things in mind.
Biometric passwords shouldn't be the only way in
A biometric is often defined as "something you are," as in something that's very difficult to fake having. The most common example is a fingerprint, which governments often use as a strong form of identification. "Strong" doesn't equal "total," however. Consider the use of fingerprints in criminal investigations. If a fingerprint is found at a given location, it's rarely by itself a smoking gun -- it almost always has to be used with other evidence to tie a suspect to a crime.
In the same way, a fingerprint or other biometric password shouldn't be the sole source of a user's identity -- nor should it be the sole way to accredit the user. A laptop that uses a fingerprint at login or boot time should always be backed up with a PIN or a typed password that can be used in case the fingerprint reader in question refuses to work. Most biometric systems provide some fallback mechanism, and it should be used.
Note that biometric passwords are not generally alterable. Fingerprints don't change (except in some rare cases). This stability sounds like a good thing on the surface because it allows IT to strongly identify a given biometric with an individual user.
But by the same token, biometrics can't be revised. If a fingerprint is stolen or copied, and there's some form of security that depends only on that fingerprint, it's broken for good. The only way to change it for that person is to switch to another finger -- and who's to say that all of the victim's fingerprints haven't been copied by then?
Contrast this against the way a traditional password can be handled. You can impose all sorts of restrictions on a password to make it mutable. It might need to be a minimum number of characters long, mixed-case, a combination of letters and numbers, etc. A nonbiometric password might be set to expire after a certain period, and you might need to change it to a password you haven't already used.
When possible, it makes sense to pair biometric passwords with some other form of accreditation that can be freely changed, such as a traditional password, smart card or token generator. The downside is that it adds inconvenience -- many people hate having to swipe a finger and type a password. One possible way around this is to use each form of accreditation for different levels of access, so that users need to provide both credentials only for certain high-security scenarios.
Biometric passwords don't replace real physical security
Just as you shouldn't leave all your credentialing in the hands of a biometric system, you also shouldn't assume that biometric passwords will protect a given system from all forms of attack. Security works in layers, and biometric security works best when it adds a layer to existing physical security measures.
Consider a laptop that has a fingerprint reader and a password-protected user account. To the casual user, this seems perfectly secure. A thief who gets his hands on the machine, however, may well just remove the hard drive from the computer and try mounting it on another machine. If that hard drive is unencrypted, biometric and password security are useless. It's actually worse than useless: You've been lulled into a false sense of security, and perhaps trusted even more sensitive data to a machine that is fundamentally insecure.
If the drive is encrypted, however, and its decryption is tied into the biometric data used to unlock the machine, that's much stronger. It's still not impervious, but it's far less likely to be compromised than something locked with only a thumbprint.
A little research into the vendors of biometric password systems can also help you determine the best way to use those systems. DigitalPersona made one of the first add-on, USB-connected fingerprint readers for PCs, and Validity makes biometric systems for OEMs.
Different ways biometric passwords can be useful
When you deploy biometric security, give some thought to the scope of what's to be protected. It might be more practical to protect a specific volume or device rather than an entire machine.
For example, self-encrypting USB keys that have built-in biometrics are one way to accomplish this. If you use such a device, make sure that it was built according to proper industry standards -- Level 3 or better compliance with the Federal Information Processing standard is recommended.
The best way to think about biometric security in the enterprise is to draw as few parallels as possible with other security methods. Don't think of it as a replacement for a conventional password or smart card, because biometric security doesn't work anything like those technologies. It's a complement to them, and -- most significantly -- to your organization's security measures as a whole.
About the author:
Serdar Yegulalp has been writing about computers and IT for more than 15 years for a variety of publications, including SearchWinIT.com, SearchExchange.com, InformationWeek and Windows magazine.
A desktop admin's guide to passwords in the enterprise
Resetting passwords in the enterprise without the help desk
Don't ignore mobile security effects on enterprise desktop management
Build secure computer password policies
Ten most common enterprise security mistakes that admins still make